Malware
Ondritols
aka Onedrivetools
According to Symantec, this malware has been deployed against IT services companies in the U.S.
According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. A multi-stage backdoor, the first stage is a downloader that authenticates to Microsoft Graph API and downloads the second stage payload from OneDrive and executes it. The main payload will download a publicly available file from GitHub. It will then create a folder in OneDrive named deviceId_n_<ip address> for each infected machine and upload a file to OneDrive to signal the attackers the status of a new infection.
Family metadata imported from Malpedia (Fraunhofer FKIE).